IFSEC Insider | Security and Fire News and Resources

Security vs control

Let’s start by being absolutely clear about the difference between access control and access security. The principal role of an access control system is to control and monitor the movement of people into, out of, and possibly within a building and premises. It fulfils the requirements for users who want a record of when people enter and leave a building so that they can use this for checking time keeping, or for a roll call in the event of an emergency.

An access control system is not necessarily designed to make the building – or specific areas within it – secure against unauthorised intruders, although it may, almost incidentally, provide a modest degree of security. If, however, the installation is to provide protection against determined attempts to gain unauthorised access to controlled buildings and areas, it must be designed from the ground up to provide an appropriate level of protection.

Provided that this is achieved, there is no reason why the system should need to be supplemented by secondary security access control measures (other than an intruder system). It is, however, essential that the products used in an access security system be chosen appropriately. One of the most important products to consider is the access card or tag, so let’s look at the most important card technologies on offer.

Cards on the table

The oldest and simplest of these is the magnetic-stripe card that is swiped through a reader. The main benefit of this system is that cards, readers and programmers are cheap and readily available. Unfortunately, from a security point of view, these benefits are also the system’s weaknesses.

It is very easy for anyone with even a modest amount of electronics know-how to build a homemade reader that will capture the data contained in the magnetic stripe of any card swiped through it. It’s just as easy to build a card programmer that will write that data to a new unprogrammed card, producing a cloned card with all of the functionality of its legitimate counterpart. The parts needed to build the reader and programmer are easy to acquire and inexpensive. Clearly, magnetic stripe cards are totally unsuited for use in access security systems, although they may have limited applications in access control. Even there, however, in comparison to newer technologies, they have limitations.

For example, the swiping process results in wear on the readers and on the cards, so regular replacements are needed. In addition, swipe cards are a bad choice for use out of doors or in dusty environments, as rain or contamination on the card can prevent it from working.

To overcome these shortcomings, access system manufacturers have, in the main, turned to proximity tags, which can also be referred to as hands-free tags. Based on RFID (radio frequency identification) technology, these tags effectively incorporate a tiny radio receiver coupled to an equally tiny transmitter.

What’s the frequency?

There are two ways to achieve the transmission of data: 1) When the receiver within the tag sees a signal from the reader, it turns on the transmitter in the tag, which sends a code from the tag back to the reader; this is often known as Active technology. 2) The tag uses the RF field emitted by the reader as a power source and then transmits its code back to the reader; this is known as Passive technology.

Obvious benefits are that the tag never has to touch the reader, so wear and contamination related problems are eliminated. It is also much more convenient for users to present their tag near the reader rather than having to swipe a card through it. But what of security? The answer is that it rather depends, as all RFID tags are most certainly not created equal.

The older and most traditional types of proximity tag work at low frequencies in the range 60 to 132kHz, and can hold a relatively small amount of data, typically 64 bits. One common implementation is known as the EM tag. This is an open standard which uses a globally recognised data format. While this may sound like a benefit, since it means that EM tags and readers are readily available from any number of suppliers, in truth it means that the security they provide is no better than that of a magnetic stripe card.

Arguably it’s worse, as EM tags transmit and receive on the same frequency. It’s not too difficult, therefore, to build a scanner that will scan for tags and read the data on them without the tag’s owner even removing it from their pocket! However, on price performance these are ideal for low security applications.

It might be expected that the newer, higher-frequency generation of “smart-card” tags would provide better security. Certainly, they can store much more data – typically up to 4Kb – and the “readers” can write data to them as well as reading data from them.

These features undoubtedly make smart-card tags very versatile. As well as being used for access control functions, they can, for example, be used to monitor time and attendance, and even as a payment mechanism for on-site facilities such as staff restaurants or vending machines. Unfortunately, extra data storage and higher operating frequency do not, in themselves, automatically lead to enhanced security.

The problem once again is that smart tags, whilst being very versatile, are generally not used to their full potential. Whilst they can be securely programmed, more often than not this function is not utilised and the default chip serial number is the only identifier to the reader – which means that it would be possible for this to be cloned and the data replicated.

Avoid standardised products

If magnetic stripe cards, low-frequency proximity tags and smart-card tags are almost equally ineffective in access security applications, what is the solution? The answer may be surprising – it’s to avoid standardised products whose open technology will always be their Achilles heel, and to adopt one of the proprietary tag technologies that have been specifically developed to offer high levels of security.

Some installers may send up a howl of protest at this suggestion. After all, doesn’t the use of open technology tags conforming to published standards mean that they can be bought from multiple sources, and that volume production will keep prices down?

Yes, it does, but ask yourself this question – if you were constructing a safe, would you choose a readily available cylinder lock like the one on your front door, which can be bought off the shelf, or would you choose a proprietary lock specially designed for the job? Sometimes, proprietary solutions are the right solutions and, these days, the price premiums over good quality “standard” products can be surprisingly modest. Let’s have a look at what users might expect from a good proprietary tag system.

The tag will basically work in the same way as other low-frequency RFID tags, but it will offer a number of important refinements, like multiple codes per tag. In one proven example, the tag stores four separate codes. The first code is the tag’s so-called “distributor code” which uniquely identifies it to the client system. This code is verified to be the same as is held in the system’s hardware before interrogating its remaining three codes. These codes are automatically entered by the tag programmer and are unique to that particular programmer. This means that, even if a genuine programmer with a different code were used in an attempt to produce a duplicate tag, the distributor code check would fail and no further tag interrogation would be made.

The second code is the site code and is of particular benefit to organisations that operate across multiple sites. This code allows individuals to move between pre-determined sites, but will not allow access at locations other than their normal place of work unless the site code for their tag has been added into the system there.

The third code is the tag “issue state”, providing an option to allocate a tag number to a specific individual. If the tag is lost the “issue state” will be altered incrementally, but the tag number remains the same. For instance, an individual has a tag numbered 12345, issue state 1. If they lose it they are given tag number 12345, issue state 2, and the system will only allow access to that card with issue state 2.

The fourth and final code is the more traditional card number and, coupled with the site code and issue state code, is the unique identifier to the system. This multiple code approach goes a long way towards guaranteeing security, but there are other features that can be added. For example, the use of a further data encryption layer in the tag code reading process makes it impossible, for all practical purposes, to scan a tag and duplicate it since, without the encryption key, the data received by a scanner is meaningless.
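The order of checks described for the four codes can be sketched as follows. This is an added example, not code from the article or from any vendor's product: the class and function names, the distributor code value and the site numbers are constructed for illustration, and the encryption layer is left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TagCodes:                  # the four codes the article says a tag stores
    distributor: int             # written by the tag programmer, unique to it
    site: int
    issue_state: int
    card_number: int

class Controller:
    """Hypothetical controller for one location (names are assumptions)."""

    def __init__(self, distributor_code, allowed_sites):
        self.distributor_code = distributor_code
        self.allowed_sites = set(allowed_sites)   # site codes added here
        self.current_issue = {}                   # (site, card) -> state in force

    def issue(self, site, card_number):
        # First issue is state 1; a replacement keeps the number, bumps the state.
        key = (site, card_number)
        self.current_issue[key] = self.current_issue.get(key, 0) + 1
        return TagCodes(self.distributor_code, site,
                        self.current_issue[key], card_number)

    def check(self, tag):
        # 1. Distributor code first; on mismatch nothing else is interrogated.
        if tag.distributor != self.distributor_code:
            return "deny: distributor code"
        # 2. The tag's site code must have been added at this location.
        if tag.site not in self.allowed_sites:
            return "deny: site code"
        # 3. Site code + card number identify the holder; only the issue
        #    state currently in force is accepted.
        current = self.current_issue.get((tag.site, tag.card_number))
        if current is None:
            return "deny: unknown card"
        if tag.issue_state != current:
            return "deny: superseded issue state"
        return "grant"

def demo_codes():
    hq = Controller(distributor_code=0x5A17, allowed_sites={10, 20})  # constructed values
    lost = hq.issue(10, 12345)                    # tag 12345, issue state 1
    replacement = hq.issue(10, 12345)             # same number, issue state 2
    other_programmer = TagCodes(0x0BAD, 10, 2, 12345)  # wrong distributor code
    other_site = TagCodes(0x5A17, 30, 1, 777)     # site 30 not added here
    return [hq.check(t) for t in (lost, replacement, other_programmer, other_site)]
```
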

Another layer of security can be added quite simply by arranging for the tag to receive its wake-up signal on one frequency, and transmit its reply on another. Even if a scanner were able to mimic the wake-up signal, the chances of it also receiving the response would be minimal.

Proprietary RFID tags with strong encryption are clearly essential for access security, although it should be noted that standard proximity tags of the commonly available types are a perfectly adequate and cost effective choice in many applications where access control is all that is needed.

Complementary readers

The tags are, of course, not the only components of an access control system that have a bearing on the security. The readers also play a big role, not least because they must complement the encoding/decoding functions of the tags themselves. There have also been attempts to defeat readers without using a tag, simply by bombarding them with sequentially numbered codes until the correct one is found.

Since the latest proprietary tags offer no fewer than 6 billion possible code combinations, producing the right combination by trial and error is almost impossible. It can be made completely impossible, however, if the reader has a built-in delay. Set to a second or two, this is unnoticed by the normal tag user but, if a code generator has to wait even a second between trying each of the 6 billion codes, it is going to take a little over 19 years to cover all the possibilities.

Automatic tag expiry

A final refinement now being offered by better systems is automated tag expiry. A small but significant security risk is posed by tags that have been issued but, for some reason, are no longer being used. For example, temporary staff tags expire at the end of their contracted assignment.

This isn’t the same as lost tags that will usually be reported and disabled very quickly. Instead it’s those tags that are sitting in drawers and wallets because the person to whom they were issued has no more use for them. With automatic expiry, tags are disabled if they are not used for or after a pre-determined period.
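The reader delay from the previous section and the automatic expiry described here, as a minimal reader-side sketch. This is an added example, not a vendor implementation: the `Reader` class, the 30-day idle limit, the tag numbers and the timestamps are all constructed for illustration.

```python
from datetime import datetime, timedelta

class Reader:
    """Hypothetical reader front end: fixed delay per attempt, idle-tag expiry."""

    def __init__(self, tags, delay=timedelta(seconds=1),
                 max_idle=timedelta(days=30)):
        self.last_used = dict(tags)      # tag id -> time of issue or last use
        self.delay = delay               # built-in delay after each attempt
        self.max_idle = max_idle         # pre-determined period without use
        self.busy_until = datetime.min
        self.disabled = set()

    def expire_idle(self, now):
        # Disable tags that have not been used within the allowed period.
        for tag, seen in self.last_used.items():
            if now - seen > self.max_idle:
                self.disabled.add(tag)
        return sorted(self.disabled)

    def present(self, tag, now):
        # A code offered while the delay is running is not evaluated at all,
        # so sequential guessing gets at most one answer per delay period.
        if now < self.busy_until:
            return "ignored"
        self.busy_until = now + self.delay
        self.expire_idle(now)
        if tag not in self.last_used or tag in self.disabled:
            return "deny"
        self.last_used[tag] = now
        return "grant"

def demo_reader():
    t0 = datetime(2024, 1, 1, 9, 0, 0)                     # constructed clock
    r = Reader({1001: t0, 2002: t0 - timedelta(days=40)})  # 2002 left in a drawer
    normal = [r.present(2002, t0),
              r.present(1001, t0 + timedelta(milliseconds=200)),
              r.present(1001, t0 + timedelta(seconds=2))]
    # Five unknown codes offered 100 ms apart: only the first is evaluated.
    burst = [r.present(code, t0 + timedelta(seconds=10, milliseconds=100 * i))
             for i, code in enumerate(range(5000, 5005))]
    return normal, burst
```
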

It has recently been reported in the USA that it is possible to decode and breach the security offered by certain types of proximity tag. This may be true for standard tags, because so much information about how they work is in the public domain, and the equipment to work with them is so readily available. With proprietary tags, the situation is very different – there’s no published information, and the programming equipment is only available through approved suppliers.

The conclusions are straightforward. Think very carefully at the outset about whether the installation is to offer access control or access security and, if it is the latter, go for a proprietary solution that has real “security” designed in.
